Merge pull request #724 from kprajapatii/master

Profile picture could be removed if clicking a bad link CSRF - FIXED/SECURITY
AyeCode · Oct 31, 2023 · ac6dd90 · ac6dd90
2 parents bfa021e + 536a1f8
commit ac6dd90
Show file tree

Hide file tree

Showing 7 changed files with 77 additions and 52 deletions.
diff --git a/assets/js/users-wp.js b/assets/js/users-wp.js
@@ -113,14 +113,22 @@ jQuery(window).on('load',function () {
             var data = {
                 'action': 'uwp_upload_file_remove',
                 'htmlvar': htmlvar,
-                'uid': uid
+                'uid': uid,
+                'security': uwp_localize_data.basicNonce
             };
 
-            jQuery.post(uwp_localize_data.ajaxurl, data, function(response) {
-                $("#"+htmlvar+"_row").find(".uwp_file_preview_wrap").remove();
-                $("#"+htmlvar).closest("td").find(".uwp_file_preview_wrap").remove();
-                if($('input[name='+htmlvar+']').data( 'is-required' )){
-                    $('input[name='+htmlvar+']').prop('required',true);
+            jQuery.ajax({
+                url: uwp_localize_data.ajaxurl,
+                type: 'POST',
+                data: data,
+                dataType: 'json'
+            }).done(function(res, textStatus, jqXHR) {
+                if (typeof res == 'object' && res.success) {
+                    $("#"+htmlvar+"_row").find(".uwp_file_preview_wrap").remove();
+                    $("#"+htmlvar).closest("td").find(".uwp_file_preview_wrap").remove();
+                    if($('input[name='+htmlvar+']').data( 'is-required' )){
+                        $('input[name='+htmlvar+']').prop('required',true);
+                    }
                 }
             });
         });

diff --git a/assets/js/users-wp.min.js b/assets/js/users-wp.min.js
diff --git a/includes/class-files.php b/includes/class-files.php
@@ -282,23 +282,21 @@ public function validate_uploads($files, $type, $url_only = true, $fields = fals
             }
         }
 
-        if (!empty($fields)) {
-            foreach ($fields as $field) {
-                if(isset($files[$field->htmlvar_name])) {
+        if ( ! empty( $fields ) ) {
+            foreach ( $fields as $field ) {
+                if ( isset( $files[ $field->htmlvar_name ] ) && ! empty( $files[ $field->htmlvar_name ]['name'] ) ) {
+                    $file_urls = $this->handle_file_upload( $field, $files );
 
-                    $file_urls = $this->handle_file_upload($field, $files);
-
-                    if (is_wp_error($file_urls)) {
+                    if ( is_wp_error( $file_urls ) ) {
                         return $file_urls;
                     }
 
-                    if ($url_only) {
+                    if ( $url_only ) {
                         $validated_data[$field->htmlvar_name] = $file_urls['url'];
                     } else {
                         $validated_data[$field->htmlvar_name] = $file_urls;
                     }
                 }
-
             }
         }
 

diff --git a/includes/class-forms.php b/includes/class-forms.php
@@ -2178,47 +2178,51 @@ public function init_mail_form_fields( $form_fields, $type, $user_id ) {
 	 * @since   1.0.0
 	 */
 	public function upload_file_remove() {
+		check_ajax_referer( 'uwp_basic_nonce', 'security' );
 
-		$htmlvar    = strip_tags( esc_sql( $_POST['htmlvar'] ) );
-		$user_id    = (int) strip_tags( esc_sql( $_POST['uid'] ) );
-		$permission = false;
-		if ( $user_id == get_current_user_id() ) {
-			$permission = true;
+		$htmlvar = esc_sql( strip_tags( $_POST['htmlvar'] ) );
+		$user_id = ! empty( $_POST['uid'] ) ? absint( $_POST['uid'] ) : 0;
+
+		if ( empty( $user_id ) ) {
+			wp_die( -1 );
+		}
+
+		if ( ! ( is_user_logged_in() && ( $user_id == (int) get_current_user_id() || current_user_can( 'manage_options' ) ) ) ) {
+			wp_send_json_error( __( 'Invalid access!', 'userswp' ) );
+		}
+
+		// Remove file
+		if ( $htmlvar == "banner_thumb" ) {
+			$file = uwp_get_usermeta( $user_id, 'banner_thumb' );
+			$type = 'banner';
+		} else if ( $htmlvar == "avatar_thumb" ) {
+			$file = uwp_get_usermeta( $user_id, 'avatar_thumb' );
+			$type = 'avatar';
 		} else {
-			if ( current_user_can( 'manage_options' ) ) {
-				$permission = true;
-			}
+			$file = '';
+			$type = '';
 		}
-		if ( $permission ) {
-			// Remove file
-			if ( $htmlvar == "banner_thumb" ) {
-				$file = uwp_get_usermeta( $user_id, 'banner_thumb' );
-				$type = 'banner';
-			} elseif ( $htmlvar == "avatar_thumb" ) {
-				$file = uwp_get_usermeta( $user_id, 'avatar_thumb' );
-				$type = 'avatar';
-			} else {
-				$file = '';
-				$type = '';
-			}
 
-			uwp_update_usermeta( $user_id, $htmlvar, '' );
+		uwp_update_usermeta( $user_id, $htmlvar, '' );
 
-			if ( $file ) {
-				$uploads     = wp_upload_dir();
-				$upload_path = $uploads['basedir'];
-				$unlink_file = untrailingslashit( $upload_path ) . '/' . ltrim( $file, '/' );
+		if ( $file ) {
+			$uploads     = wp_upload_dir();
+			$upload_path = $uploads['basedir'];
+			$unlink_file = untrailingslashit( $upload_path ) . '/' . ltrim( $file, '/' );
 
-				if ( is_file( $unlink_file ) && file_exists( $unlink_file ) ) {
-					@unlink( $unlink_file );
-					$unlink_ori_file = str_replace( '_uwp_' . $type . '_thumb' . '.', '.', $unlink_file );
-					if ( is_file( $unlink_ori_file ) && file_exists( $unlink_ori_file ) ) {
-						@unlink( $unlink_ori_file );
-					}
+			if ( is_file( $unlink_file ) && file_exists( $unlink_file ) ) {
+				@unlink( $unlink_file );
+				$unlink_ori_file = str_replace( '_uwp_' . $type . '_thumb' . '.', '.', $unlink_file );
+
+				if ( is_file( $unlink_ori_file ) && file_exists( $unlink_ori_file ) ) {
+					@unlink( $unlink_ori_file );
 				}
 			}
 		}
-		die();
+
+		wp_send_json_success();
+
+		wp_die();
 	}
 
 	/**

diff --git a/includes/class-profile.php b/includes/class-profile.php
@@ -1882,12 +1882,25 @@ function updateCoords(c) {
 	}
 
 	public function ajax_profile_image_remove() {
-		$type = isset( $_POST['type'] ) ? strip_tags( esc_sql( $_POST['type'] ) ) : '';
-		if ( $type && in_array( $type, array( 'banner', 'avatar' ) ) ) {
-			$user_id = get_current_user_id();
-			uwp_update_usermeta( $user_id, 'banner_thumb', '' );
+		//check_ajax_referer( 'uwp_basic_nonce', 'security' ); // @todo pass security in AJAX request.
+
+		$type = ! empty( $_POST['type'] ) ? $_POST['type'] : '';
+
+		if ( ! in_array( $type, array( 'banner', 'avatar' ) ) ) {
+			wp_die( -1 );
 		}
-		exit();
+
+		$user_id = is_user_logged_in() ? (int) get_current_user_id() : 0;
+
+		if ( empty( $user_id ) ) {
+			wp_send_json_error( __( 'Invalid access!', 'userswp' ) );
+		}
+
+		uwp_update_usermeta( $user_id, $type . '_thumb', '' );
+
+		wp_send_json_success();
+
+		wp_die();
 	}
 
 	/**

diff --git a/includes/helpers/misc.php b/includes/helpers/misc.php
@@ -1325,6 +1325,7 @@ function uwp_get_localize_data(){
 		'uwp_pass_strength' => uwp_get_option("register_min_password_strength",0),
 		'uwp_strong_pass_msg' => uwp_get_option("register_uwp_strong_pass_msg",__("Please enter valid strong password.", "userswp")),
 		'default_banner' => uwp_get_default_banner_uri(),
+		'basicNonce' => esc_attr( wp_create_nonce( 'uwp_basic_nonce' ) )
 	);
 
 	return apply_filters('uwp_localize_data', $uwp_localize_data);

diff --git a/readme.txt b/readme.txt
@@ -150,6 +150,7 @@ Yes, you can customize it with Elementor, but also with Gutenberg, Divi, Beaver
 * Super Duper updated to v1.1.27 - UPDATED
 * FontAwesome package updated to v1.1.6 - UPDATED
 * AyeCode UI updated to v0.2.0 - UPDATED
+* Profile picture could be removed if clicking a bad link CSRF - FIXED/SECURITY
 
 = 1.2.3.22 =
 * Translated UWP screen id breaks admin pages UI - FIXED